Format 0 : Protostar Writeup
After spending some time in stack buffer overflow challenges, here we are with a section dedicated only to format strings. There are tons of blogs on format strings and the vulnerability involved with it. So ill start with the challenge directly. Format strings are really interesting if you understand what they do. It did take me a while to understand the basics at first. So I’ll go through every challenge the way I understood format strings and hope you’ll be able to grasp the basic concept.
CHALLENGE
The source code is given to us.
void vuln(char *string)
{
volatile int target;
char buffer[64];
target = 0;
sprintf(buffer, string);
if(target == 0xdeadbeef) {
printf("you have hit the target correctly :)\n");
}
}
int main(int argc, char **argv)
{
vuln(argv[1]);
}
The input is taken in the argument and passed to the vuln() function. Here we have our target set to 0. We complete the challenge if the target variable is set to “0xdeadbeef”. This is what we did in stack buffer overflow challenges. We could overflow the buffer and change the value of the target. But doing that here spoils the entire fun of exploiting this with format strings. How do we exploit this with format specifiers only?
Before getting into the challenge, I’ll show some code that I wrote. This will make this challenge much easier.
int main(){int target = 5;printf("Hi this is :%64d " , target);return 0;}
So that aligns exactly 64 bytes. Let us change target to a big value.
int main(){int target = 50000;printf("Hi this is :%64d " , target);return 0;}
So that again gives the same 64 bytes. If you see it is aligned in such a way to give the same number of bytes always. That means %64p or any format specifier will give 64 bytes. Now let’s come back to the challenge.
Let us see how the stack diagram would have formed when we execute the challenge binary.
So if we overflow the buffer with 64 junk characters we will get to the target. I am going to use the same concept as in the example. Going to use %64s or any format specifier to align exactly 64 bytes. Then send deadbeef in little-endian format to complete the challenge.
$ ./format0 $(python -c "print '%64d' + '\xef\xbe\xad\xde'")
you have hit the target correctly :)
That’s it for the 0th challenge. Let’s move to the next challenge.
Hope you understood the challenge. Do check out my other blogs.
Don’t forget to give some claps if you reached here :) Follow me for more write-ups.
Goodbye:)